
How do I set up unchallenged Secure Shell (SSH) access?

The most secure method of unchallenged SSH authentication is to use RSA/DSA keys together with an authentication agent. An SSH agent holds your private keys in memory and answers authentication challenges on your behalf (including, via agent forwarding, challenges presented to another host, which can then use your keys as if they were local), so you can ssh, sftp, or scp using key authentication without typing a passphrase for every session.

A less secure method is to use RSA/DSA keys without an agent. To do this, follow the Phase I instructions below, but enter no passphrase when prompted (just press enter/return), and skip Phase II.

Unchallenged SSH access using agents is set up in two phases:

Phase I: Use RSA and DSA keys to set up passphrase-challenged SSH access.

1. Use ssh-keygen to create public and private keys.
2. Populate other from-hosts with the public and private keys (stored securely).
3. Populate to-hosts with the public keys.
4. Test challenged SSH access.

Phase II: Use ssh-agent and ssh-add to set up unchallenged SSH access.

1. Use ssh-agent to start an authentication agent.
2. Use ssh-add to add your private keys to the agent.
3. Launch terminal windows as child processes of the SSH agent.
4. Test unchallenged SSH access from these windows.

Detailed Instructions

Phase I: Use RSA and DSA keys to set up passphrase-challenged SSH access.

1. Use ssh-keygen to generate keys on the host from which you wish to connect.

By default, ssh-keygen stores the generated public and private key files in $HOME/.ssh. At LPL this is an NFS file system, so the key data would cross the network in the clear if stored there. Since the private key is what identifies you to other hosts, its contents must be kept secret, so we use ssh-keygen's -f option to put the key files in /var/.ssh/yourname instead. Contact your system admin to have this directory created, if necessary, using these commands, on all of the from-hosts:

Always use a good passphrase when creating a private key. A good passphrase is between 10 and 30 characters long and is not a simple sentence, since ordinary English text yields only one or two bits of entropy per character. If you wish to use unchallenged SSH without an agent (less secure), then enter no passphrase (just press enter/return).

If you entered a passphrase when running ssh-keygen and you are not prompted for that passphrase when you connect, then something is wrong: the key is not being used.
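The shell functions below are an added example for Phase I (step 1 on the from-host and step 3 on the to-hosts); they are not the command list the page's author refers to above and are not part of the original page. They assume the key directory /var/.ssh/yourname from the page (taken as a parameter so the functions work against any directory) and an RSA key file named id_rsa; the public key line used to exercise install_pubkey is constructed.

```shell
# Added example, not the page's own commands. Assumed layout: a per-user key
# directory such as /var/.ssh/yourname holding id_rsa and id_rsa.pub.

# Step 1 (from-host): create the private key directory with owner-only
# access. ssh(1) refuses a private key whose directory or file is readable
# by others, so the mode matters as much as keeping the key off NFS.
prepare_key_dir() {
    dir="$1"
    mkdir -p "$dir" || return 1
    chmod 700 "$dir"
}

# Generate an RSA key pair into the directory with -f, as the page
# describes. ssh-keygen prompts for the passphrase interactively; passing
# -N "" would create an unprotected key (the page's "less secure" option).
generate_rsa_key() {
    dir="$1"
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; return 1; }
    ssh-keygen -t rsa -b 4096 -f "$dir/id_rsa" || return 1
    chmod 600 "$dir/id_rsa"
}

# Return 0 only if the key directory (and the private key, if present)
# have the strict modes above. Run it before relying on the key.
key_perms_ok() {
    dir="$1"
    [ "$(ls -ld "$dir" | cut -c1-10)" = "drwx------" ] || return 1
    [ -f "$dir/id_rsa" ] || return 0   # no key yet: nothing more to check
    [ "$(ls -l "$dir/id_rsa" | cut -c1-10)" = "-rw-------" ]
}

# Step 3 (to-host): append one public key line to authorized_keys exactly
# once and keep the file owner-only. Returns 0 without writing if the line
# is already present, so it is safe to rerun on every to-host.
install_pubkey() {
    pubkey="$1"
    authfile="${2:-$HOME/.ssh/authorized_keys}"
    mkdir -p "$(dirname "$authfile")" && chmod 700 "$(dirname "$authfile")"
    touch "$authfile" && chmod 600 "$authfile"
    grep -qF -- "$pubkey" "$authfile" && return 0
    printf '%s\n' "$pubkey" >> "$authfile"
}
```

On a from-host, step 1 is `prepare_key_dir /var/.ssh/yourname && generate_rsa_key /var/.ssh/yourname`; on each to-host, step 3 is `install_pubkey "$(cat /var/.ssh/yourname/id_rsa.pub)"`, which writes to $HOME/.ssh/authorized_keys. key_perms_ok is the check to run when the passphrase prompt described above does not appear.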

After completing Phase I, the login process has been changed from password-prompting to passphrase-prompting. This lets an SSH authentication agent answer the challenge with our keys, so we can log in without any prompting.

Phase II: Use ssh-agent and ssh-add to set up unchallenged SSH access.

Ideally, we will type a passphrase once when we sit down at our computer, and every session we establish will use the authentication agent, so we will not need to type passphrases again.

From the C shell started under the SSH agent, launch terminal windows (and any further windows from those) so that they inherit the agent's environment:

$ xterm &

4. Test unchallenged SSH access.

From any of these xterm windows:

$ ssh to-host

How to automate ssh-agent startup.

There are several ways to configure your account to automatically start an ssh-agent. You can have it create a subprocess which inherits the SSH_AUTH_SOCK environment variable, or you can run it as a daemon. For example, if you are using GNOME on Red Hat, put the following line at the end of your ~/.xsession file:

ssh-agent gnome-session

Now ssh-agent will start, create a socket, set the environment variables, and start the X session as its child. Every program started within that X session inherits those variables and so has access to the agent.

If you are a bash user, an alternative is to start ssh-agent from your ~/.profile or ~/.bash_profile. To do this, add these lines to your ~/.bash_profile:
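What follows is an added example of the daemon-style startup described in this section, written as functions to be called from ~/.bash_profile; it is not the original page's lines, which are not reproduced here. It assumes a cache file $HOME/.ssh-agent-env (a name chosen for this example) that stores ssh-agent's printed environment so later logins reuse the same agent instead of starting a new one, and the key path /var/.ssh/yourname/id_rsa from Phase I.

```shell
# Added example, not the page's own ~/.bash_profile lines. Assumed: the
# agent environment is cached in $HOME/.ssh-agent-env (name chosen here).

AGENT_ENV_FILE="${AGENT_ENV_FILE:-$HOME/.ssh-agent-env}"

# Return 0 if SSH_AUTH_SOCK names a live agent. ssh-add -l exits 2 when no
# agent answers; 0 (keys loaded) or 1 (no keys) both mean it is alive.
agent_alive() {
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
    command -v ssh-add >/dev/null 2>&1 || return 0
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -ne 2 ]
}

# Source a previously saved agent environment (the "VAR=...; export VAR;"
# lines ssh-agent -s prints). Returns 1 if the file is missing or the
# socket it names no longer exists, e.g. after a reboot.
load_agent_env() {
    [ -r "$AGENT_ENV_FILE" ] || return 1
    . "$AGENT_ENV_FILE" >/dev/null
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Start a daemon-mode agent, save its environment owner-readable only
# (the subshell keeps the umask change local), and load it.
start_agent() {
    (umask 077; ssh-agent -s > "$AGENT_ENV_FILE") || return 1
    . "$AGENT_ENV_FILE" >/dev/null
}

# Call this from ~/.bash_profile: reuse an agent inherited from the parent
# process or cached from an earlier login, otherwise start one and load
# the key once (ssh-add prompts for the passphrase at that point only).
ensure_agent() {
    agent_alive && return 0
    load_agent_env && agent_alive && return 0
    start_agent || return 1
    ssh-add /var/.ssh/yourname/id_rsa
}
```

The order in ensure_agent matters: an agent inherited through SSH_AUTH_SOCK (the subprocess model, as with ssh-agent gnome-session above) is preferred over the cached one, and a stale cache file is ignored rather than trusted, so a login after a reboot starts a fresh agent instead of failing with an unreachable socket.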